CRYPTOGRAPHIC KEYS USING RANDOM NUMBERS INSTEAD OF RANDOM PRIMES

TECHNICAL FIELD

The present invention relates to a method for providing cryptographic keys usable in a network of connected computer nodes applying a signature scheme. Further, the present invention relates to a method for providing a signature value on a message in a network of connected computer nodes. Moreover, the present invention also relates to a method for verifying a signature value on a message in a network of connected computer nodes.

BACKGROUND OF THE INVENTION

Many cryptographic schemes require the generation of a (random) prime each time it is used. Examples are signature schemes, group signature schemes, or credential systems, such as the so-called Cramer-Shoup signature scheme by R. Cramer and V. Shoup "Signature schemes based on the strong RSA assumption." In Proc. 6th ACM Conference on Computer and Communications Security, pages 46-52. ACM press, Nov. 1999, or the credential system by J. Camenisch and A. Lysyanskaya in their article "Efficient non-transferable anonymous multi-show credential system with optional anonymity revocation." In B. Pfitzmann, editor, Advances in Cryptology - EUROCRYPT 2001, volume 2045 of LNCS, pages 93-118, Springer Verlag, 2001. The security of all these schemes is based on the so-called strong RSA assumption. More precisely, their security proofs require that each signature or credential is computed using a unique prime, i.e., the computation of each signature or credential involves computing an e-th root where e is said unique prime. The e is also referred to as unique exponent in the following. Unfortunately, the generation of primes is computationally expensive, especially if they need to be large. Because of this, the generation of signatures or credentials in the above mentioned schemes becomes computationally involved.

For the generation of primes one could in principle each time choose any integer as unique exponent, as long as it possesses a prime factor that does not appear in any unique exponent that was used before. This would require storing all exponents used so far and testing the newly chosen exponent against these numbers, which, however, is very inefficient.

From the above it follows that there is still a need in the art for the generation of a signature to be simplified for these schemes. Usually, a new prime is necessary each time a signature is generated, which is rather inefficient. Therefore, it is advantageous to provide cryptographic keys and signature values more efficiently. Each signature value should be verifiable.

GLOSSARY

The following are informal definitions to aid in the understanding of the description.

Credential: In the present context, the term credential is understood as a subset of access permissions (developed with the use of media-independent data) attesting to, or establishing, the identity of an entity, such as a birth certificate, driver's license, mother's maiden name, social security number, fingerprint, voice print, or other biometric parameter(s). Moreover, the credential comprises information, passed from one entity to another, used to establish the sending entity's access rights. The term certificate is understood as a particular credential stating that a certain public key belongs to a certain entity or user.

Signature: A digital signature consists of one or more values that relate a message to a public key. A signature can only be produced using the secret key corresponding to the public key.

The following signs relate to the terms indicated beside and are used within the description.

A, B, C, D        computer nodes
p, q              primes
n                 product of p and q
sk                secret key being derived from p and q
A                 first random limit
v                 interval widths
A, v              exponent-interval description
I                 exponent interval
u, l              security parameter
e                 exponent value
e'                random prime
m                 message
x'                verification value
H                 hash function
QR_n              elements having a square root modulo n
y', h, x          elements of QR_n
y                 computed signature root value
y, y', e          signature value
h, x              public values
n, h, x, e', l    public key value
pk                public key comprising public key value (n, h, x, e', l) and exponent-interval description (A, v)
u                 random bit-numbers

SUMMARY OF THE INVENTION

Thus, this invention provides systems, apparatus and methods providing an efficient scheme for generating a unique exponent or exponent value such that it is no longer necessary to generate a new prime for each use of them. In an example embodiment, the scheme uses integers drawn from a particular interval instead of primes. Because choosing a random integer is much more efficient than choosing a prime at random, the issuing of signatures or credentials in resulting schemes will be more efficient. An observation that allows one to use composites, i.e. non-primes, instead of primes as in the above mentioned scheme is that it is in fact sufficient for the schemes' security if each unique exponent has a unique prime factor that is sufficiently large.

In accordance with a first aspect of the present invention, there is given a method for providing cryptographic keys usable in a network of connected computer nodes A, B, C, D applying a signature scheme. The method executable by a first computer node A comprising the steps of:

- generating a random secret key sk;
- generating an exponent interval I having a first random limit A, wherein, with a probability close to certainty, each element of the exponent interval I has a unique prime factor that is larger than a given security parameter l;
- providing a public key pk comprising an exponent-interval description A, v and a public key value n, h, x, e', l derived from the random secret key sk,

such that the random secret key sk and a selected exponent value e from the exponent interval I are usable for deriving a signature value y, y', e on a message m to be sent within the network to a second computer node B, C, D for verification.



In accordance with a second aspect of the present invention, there is given a method for providing a signature value y, y', e on a message m in a network of connected computer nodes A, B, C, D, the method executable by a first computer node A comprising the steps of:

- selecting an exponent value e from an exponent interval I, wherein each element of the exponent interval I has, with a probability close to certainty, a unique prime factor that is larger than a given security parameter l; and
- deriving the signature value y, y', e from a provided secret key sk, the selected exponent value e, and the message m, the signature value y, y', e being sendable within the network to a second computer node B, C, D for verification.



In accordance with a third aspect of the present invention, there is given a method for verifying a signature value y, y', e on a message m in a network of connected computer nodes A, B, C, D, the method executable by a second computer node B, C, D comprising the steps of:

- receiving the signature value y, y', e from a first computer node A; and
- verifying whether an exponent value e is contained in an exponent interval I, wherein each element of the exponent interval I has, with a probability close to certainty, a unique prime factor that is larger than a given security parameter l, the signature value y, y', e is invalid if the exponent value e is not contained in the exponent interval I.

BRIEF DESCRIPTION OF THE DRAWINGS



The invention and its embodiments will be more fully appreciated by reference to the following detailed description of advantageous and illustrative embodiments in accordance with the present invention when taken in conjunction with the accompanying drawings.

FIG. 1 shows a typical network with multiple computer nodes.
FIG. 2 shows a flow diagram according to a first aspect of the invention.
FIG. 3 shows a flow diagram according to a second aspect of the invention.
FIG. 4 shows a flow diagram according to a third aspect of the invention.

The drawings are provided for illustrative purpose only and do not necessarily represent practical examples of the present invention to scale.

DETAILED DESCRIPTION OF THE INVENTION

Thus, this invention provides an efficient scheme for generating a unique exponent or exponent value such that it is no longer necessary to generate a new prime for each use of them. In an example embodiment, the scheme uses integers drawn from a particular interval instead of primes. Because choosing a random integer is much more efficient than choosing a prime at random, the issuing of signatures or credentials in resulting schemes will be more efficient. An observation that allows one to use composites, i.e. non-primes, instead of primes as in the above mentioned scheme is that it is in fact sufficient for the schemes' security if each unique exponent has a unique prime factor that is sufficiently large.

In general, at first a sufficiently large set of integers is determined such that all the integers in the set have a unique prime factor. Once this set is specified, one chooses as unique exponent a random element from the set. If the set is sufficiently large, one will with high probability not select the same element twice. This is most efficient if the set is an interval. Below it is described how to determine intervals such that each integer in the interval has a unique prime factor.

In accordance with a first aspect of the present invention, there is given a method for providing cryptographic keys usable in a network of connected computer nodes A, B, C, D applying a signature scheme. The method executable by a first computer node A comprising the steps of:

- generating a random secret key sk;
- generating an exponent interval I having a first random limit A, wherein, with a probability close to certainty, each element of the exponent interval I has a unique prime factor that is larger than a given security parameter l;
- providing a public key pk comprising an exponent-interval description A, v and a public key value n, h, x, e', l derived from the random secret key sk,

such that the random secret key sk and a selected exponent value e from the exponent interval I are usable for deriving a signature value y, y', e on a message m to be sent within the network to a second computer node B, C, D for verification.

The step of generating a random secret key sk can comprise the use of two primes p and q. The product of the two primes can then be part of the public key pk. As this approach is based on the hardness of factoring, a secure cryptographic system can be achieved.

In another approach the step of generating a random secret key sk can comprise selecting an integer value d which defines a class group G and selecting two elements g and z of the class group G. As this approach is based on the hardness of computing roots in groups of unknown order, a more secure cryptographic system can thus be provided. The step of providing the public key pk can then comprise computing a modified public key value d, h, x, e', l under use of the selected two elements g and z and the exponent interval I. This is further confirmed by the hardness of computing roots in groups of unknown order and thus leads to an even more secure cryptographic system.

In accordance with a second aspect of the present invention, there is given a method for providing a signature value y, y', e on a message m in a network of connected computer nodes A, B, C, D, the method executable by a first computer node A comprising the steps of:

- selecting an exponent value e from an exponent interval I, wherein each element of the exponent interval I has, with a probability close to certainty, a unique prime factor that is larger than a given security parameter l; and
- deriving the signature value y, y', e from a provided secret key sk, the selected exponent value e, and the message m, the signature value y, y', e being sendable within the network to a second computer node B, C, D for verification.

The step of deriving the signature value y, y', e can further comprise a computation of the e-th root y of a value derived from the message m and the secret key sk using a cryptographic hash function H. The e is contemplated as the exponent value e. This allows the design of securer cryptographic systems.

In accordance with a third aspect of the present invention, there is given a method for verifying a signature value y, y', e on a message m in a network of connected computer nodes A, B, C, D, the method executable by a second computer node B, C, D comprising the steps of:

- receiving the signature value y, y', e from a first computer node A; and
- verifying whether an exponent value e is contained in an exponent interval I, wherein each element of the exponent interval I has, with a probability close to certainty, a unique prime factor that is larger than a given security parameter l, the signature value y, y', e is invalid if the exponent value e is not contained in the exponent interval I.

The step of verifying can further comprise a computing step of raising a computed signature root value y to the power of the exponent value e. The computed signature root value y forms part of the signature value y, y', e.

Fig. 1 shows a typical network with multiple computer nodes A, B, C, D, where each node can also be contemplated as participating network device. More particularly, the figure shows an example of a common computer system 2, where a random number r is generated. It consists here of four computer nodes A, B, C, and D which are connected via communication lines 5 to the network. Each computer node A, B, C, D may be any type of computer device known in the art from a computer on a chip or a wearable computer to a large computer system. The communication lines 5 can be any communication means commonly known to transmit data or messages from one computer node A, B, C, D to another. For instance, the communication lines 5 may be either single, bi-directional communication lines 5 between each pair of participating network devices A, B, C, D or one unidirectional line in each direction between each pair of computer nodes A, B, C, D. Such communication lines 5 are well known in the art. The common computer system 2 is shown to facilitate the description of the following random number generation protocol.

The following describes in more detail how cryptographic keys sk, pk can be provided as well as how a signature value y, y', e on a message m is created. Further, the verification of the signature value y, y', e is shown in more detail.






Cryptographic keys 

With reference to Fig. 2, the generation of a secret key sk and a public key pk is now described. The secret key sk and the public key pk are contemplated as cryptographic keys sk, pk which are usable in a network of the connected computer nodes A, B, C, D which apply a signature scheme. In the following it is assumed that the first computer node A executes the following steps. At first, as indicated in box 20, a random secret key sk is generated. For that, two primes p and q forming the secret key can be used, whereby the product of the two primes p and q is part of the public key pk. Then an exponent interval I is chosen that can be determined according to the description below, whereby the exponent interval I has a first random limit A, as indicated in box 22. With a probability close to certainty, each element of the exponent interval I has a unique prime factor that is larger than a given security parameter l. More precisely, let n be the product of two sufficiently large primes p and q, h and x two elements from QR_n and e' a random (l + 1)-bit prime. Let H be a hash function whose outputs have l bits. As indicated with box 24, the first computer node A performs some computations and selections in order to provide the public key pk as indicated with box 26. The public key pk finally comprises an exponent-interval description A, v and a public key value n, h, x, e', l which is derived from the random secret key sk. As indicated within box 24, the first computer node A selects an exponent value e from the exponent interval I and a random prime e', computes the product n of the primes p and q and derives from n the two public values h, x. Thereby the random secret key sk and the selected exponent value e are usable for deriving a signature value y, y', e on a message m. This signature value y, y', e can then be sent within the network 5 to a second computer node B, C, D for verification purposes.

In a further embodiment, the generation of the random secret key sk comprises the selection of an integer value d which defines a class group G and the selection of two elements g and z of said class group G. Consequently, a modified public key value d, h, x, e', l can be provided under use of the selected two elements g and z and the exponent interval I, while e' is chosen randomly and h, x are calculated as follows:

* L n* Tie 

As this is based on the hardness of computing roots in groups of unknown order, a secure cryptographic system can be provided.

Fig. 3 shows a flow diagram for deriving the signature value y, y', e that is sendable within the network to the second computer node B, C, D for verification. For the derivation the first computer node A performs a selection of an exponent value e from an exponent interval I as indicated with box 30, wherein each element of the exponent interval I has, with a probability close to certainty, a unique prime factor that is larger than a given security parameter l. The signature value y, y', e is then derived, as indicated with box 34 and mathematically shown below, from the provided secret key p and q as indicated with box 31, the selected exponent value e, the message m as indicated with box 32, and part of the public key value n, h, x, e' as indicated with box 33.

In a further embodiment, the signature value y, y', e can be derived by computing the e-th root y of a value derived from the message m, also referred to as computed signature root value y, and the secret key sk by using a cryptographic hash function H.

Mathematically, to sign a message m, the signer, i.e. the first computer node A, chooses a random element $y'$ from $QR_n$ or from G, in case of class groups, and an exponent value e from I, and computes a y such that

$$y^e = x\,h^{H(x')}$$

that means the computed signature root value y can be determined as follows

$$y = \left(x\,h^{H\left(y'^{e'} h^{-H(m)}\right)}\right)^{1/e}.$$

To verify a signature, one computes $x' = y'^{e'} h^{-H(m)}$ and checks that $y^e = x\,h^{H(x')}$ and $e \in I$ holds.

That means for verifying the signature value y, y', e on the message m a second computer node B, C, D receives the signature value y, y', e, as indicated with box 40, from the first computer node A. The second computer node B, C, D verifies by using the provided part of the public key value n, h, x, e' as indicated with box 33 whether or not the exponent value e is contained in the exponent interval I as indicated with box 44. Thereby each element of the exponent interval I should have, with a probability close to certainty, a unique prime factor that is larger than the given security parameter l. The signature value y, y', e is invalid if the exponent value e is not contained in the exponent interval I.

The check comprises computing $y^e$, which means that the computed signature root value y that is part of the signature value y, y', e is raised to the power of the exponent value e as shown in the equation above.
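The key generation, signing and verification steps described above can be traced end to end in the following added example, which is not code from the patent. It uses toy parameter sizes; the use of safe primes for p and q, SHA-256 truncated to l bits as H, a 64-bit random limit A, and the retry when e shares a factor with the group order are all assumptions of the example.

```python
import hashlib
import math
import secrets

L_BITS, V_BITS, P_BITS = 32, 24, 48  # toy sizes for l, v and the primes p, q

def is_prime(k):
    """Miller-Rabin; these 12 bases are deterministic for k < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if k in bases:
        return True
    if k < 2 or any(k % b == 0 for b in bases):
        return False
    d, s = k - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        a = pow(b, d, k)
        if a in (1, k - 1):
            continue
        for _ in range(s - 1):
            a = a * a % k
            if a == k - 1:
                break
        else:
            return False
    return True

def random_prime(bits, safe=False):  # safe=True: (c - 1) / 2 must be prime too
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c) and (not safe or is_prime((c - 1) // 2)):
            return c

def H(data):
    """Hash with l-bit output (SHA-256 truncated; an assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - L_BITS)

def random_qr(n):
    """Random element of QR_n: the square of a unit modulo n."""
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            return r * r % n

def keygen():
    p = q = random_prime(P_BITS, safe=True)
    while q == p:
        q = random_prime(P_BITS, safe=True)
    n = p * q
    pk = {"n": n, "h": random_qr(n), "x": random_qr(n),
          "e_prime": random_prime(L_BITS + 1),                 # (l+1)-bit prime e'
          "A": secrets.randbits(64) | (1 << 63), "v": V_BITS}  # I = [A, A + 2^v]
    return pk, ((p - 1) // 2) * ((q - 1) // 2)  # sk: order of QR_n, from p and q

def x_prime(pk, m, y1):
    """x' = y'^e' * h^(-H(m)) mod n, computed by signer and verifier alike."""
    return pow(y1, pk["e_prime"], pk["n"]) * pow(pk["h"], -H(m), pk["n"]) % pk["n"]

def rhs(pk, x1):
    """x * h^H(x') mod n, the value whose e-th root is the signature part y."""
    data = x1.to_bytes((x1.bit_length() + 7) // 8, "big")
    return pk["x"] * pow(pk["h"], H(data), pk["n"]) % pk["n"]

def sign(pk, sk, m):
    while True:  # e is a random integer from I, not a freshly generated prime
        e = pk["A"] + secrets.randbelow(2 ** pk["v"] + 1)
        if math.gcd(e, sk) == 1:  # the e-th root in QR_n must exist
            break
    y1 = random_qr(pk["n"])
    y = pow(rhs(pk, x_prime(pk, m, y1)), pow(e, -1, sk), pk["n"])
    return y, y1, e

def verify(pk, m, sig):
    y, y1, e = sig
    if not pk["A"] <= e <= pk["A"] + 2 ** pk["v"]:
        return False  # e outside the exponent interval I: signature invalid
    return pow(y, e, pk["n"]) == rhs(pk, x_prime(pk, m, y1))
```

Signing draws only one random integer and performs no primality test; the prime searches happen once, in `keygen`. Because A is chosen above 2^(l+1) here, the prime e' can never fall inside I.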

Choosing an Interval

In the following is addressed how an exponent interval I can be chosen. The above scheme can be shown secure if the interval I contains only few integers that have either a distinct prime factor larger than a certain size l or two distinct prime-factors larger than $2^v$ (the integers that do not meet these conditions are called $(l,v)$-smooth) and no integer with the largest prime factor smaller than $2^l$. Therefore, in order to choose an interval I one needs to evaluate the probabilities that a randomly chosen interval meets this condition.

Let $n_1$ and $n_2$ denote the biggest and second biggest prime factor of number n, respectively. Define the quantities

$$\Psi(x,y) = \#\{0 < n < x : n_1 < y\} \quad \text{and} \quad \Psi(x,y,z) = \#\{0 < n < x : n_1 < y,\ n_2 < z\}.$$

It can be shown that the probability that a randomly chosen interval $I = [A, A + 2^v]$ contains more than $2^{v/5}$ integers that are $(l,v)$-smooth is at most $\Psi(A, 2^l, 2^v)$ 2 m / A and that it contains no odd integer with a prime factor smaller than $2^v$ is at most $\Psi(A, 2^v)\,2^v / A$, provided that v<log(A)<\ 2 holds. This now allows one to choose the A, l, and v (and thereby the interval) such that these probabilities are small, i.e., such that I meets the required condition with sufficiently high probability. To evaluate the quantities $\Psi(x,y)$ and $\Psi(x,y,z)$ one can use bounds on them that are found in literature.

Any disclosed embodiment may be combined with one or several of the other embodiments shown and/or described. This is also possible for one or more features of the embodiments. Variations described for the present invention can be realized in any combination desirable for each particular application. Thus particular limitations and/or embodiment enhancements described herein, which may have particular advantages to a particular application, need not be used for all applications. Also, not all limitations need be implemented in methods, systems and/or apparatus including one or more concepts of the present invention.

The present invention can be realized in hardware, software, or a combination of hardware and software. A visualization tool according to the present invention can be realized in a centralized fashion in one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system - or other apparatus adapted for carrying out the methods and/or functions described herein - is suitable. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which - when loaded in a computer system - is able to carry out these methods.



Computer program means or computer program in the present context include any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after conversion to another language, code or notation, and/or reproduction in a different material form.



Thus the invention includes an article of manufacture which comprises a computer usable medium having computer readable program code means embodied therein for causing a function described above. The computer readable program code means in the article of manufacture comprises computer readable program code means for causing a computer to effect the steps of a method of this invention. Similarly, the present invention may be implemented as a computer program product comprising a computer usable medium having computer readable program code means embodied therein for causing a function described above. The computer readable program code means in the computer program product comprising computer readable program code means for causing a computer to effect one or more functions of this invention. Furthermore, the present invention may be implemented as a program storage device readable by machine, tangibly embodying a program of instructions executable by the machine to perform method steps for causing one or more functions of this invention.

It is noted that the foregoing has outlined some of the more pertinent objects and embodiments of the present invention. This invention may be used for many applications. Thus, although the description is made for particular arrangements and methods, the intent and concept of the invention is suitable and applicable to other arrangements and applications. It will be clear to those skilled in the art that modifications to the disclosed embodiments can be effected without departing from the spirit and scope of the invention. The described embodiments ought to be construed to be merely illustrative of some of the more prominent features and applications of the invention. Other beneficial results can be realized by applying the disclosed invention in a different manner or modifying the invention in ways known to those familiar with the art.